What Crypto Exchanges Can Learn From Banks

The age of cryptocurrencies is in its nascent stage, but is fully upon us. And, as with any new industry, there are growing pains.

Such is the case with digital currencies. No matter where you stand on the topic — they’re either here to stay or a passing fancy — the fact remains that bitcoin and its brethren are prime targets for bad actors.

Attacks on cryptocurrency exchanges are on the rise and user identities are being stolen, both pointing toward an ever-increasing need for enhanced security. In recent headlines, Coincheck, a cryptocurrency exchange in Japan, was hacked, and the $530 million stolen from roughly 250,000 users may represent the biggest heist to date. Elsewhere, mining marketplace NiceHash was taken for $64 million late last year and, of course, there was Mt. Gox.

In an interview with PYMNTS’ Karen Webster, Sherif Samy, senior vice president of North America at Entersekt, delved into the challenges of building robust security measures — even as the exchanges themselves are evolving with heavy consumer demand, volatility and hackers looking to do what they do best: steal.

How, then, to secure bitcoin and other cryptocurrencies in an age that resides in a gray area, is not well-regulated and in which laws and guidelines vary from country to country?

Such questions take on new importance, as Samy noted that “the hype of cryptocurrency and the fluctuation in the value of the cryptocurrencies in the market is forcing a lot of people to pay attention” to both sides of the equation. Consumers and exchange operators are becoming aware of the vulnerabilities that need to be addressed — though sometimes only when it’s too late. At the same time, hackers are licking their proverbial chops and trying mightily to exploit those vulnerabilities.

Samy said exchanges are still relying on traditional methods of verification — the username and password — which are open to traditional methods of attack like phishing, man-in-the-middle attacks and bots.

The process, writ large, is one in which a consumer desiring a bitcoin, for example, is trusting the exchange with all sorts of information — name, bank account and, in some cases, card data. In his enthusiasm to be the proud owner of said bitcoin, the customer has given the exchange, and perhaps by extension the hacker, his bank account info, his personally identifiable information, his Social Security number — “basically, they have my entire life,” according to Samy.

Mesmerized by the volatility of the owned crypto as prices swing wildly, the unsuspecting owner may not even be aware of what is taking place if the exchange is attacked after the transaction is complete. The conversation has been opened about regulation, either by a regulatory body or by the marketplaces themselves, and conversation is a solid starting point. But, as Samy told Webster, “Regulation is lagging behind.”

“Having said that, you really do not need regulation to implement a greater security that is suitable for that [cryptocurrency] case,” he added. Key issues include how information is stored, and where and how exchanges transfer that information between parties.

Cryptocurrency exchanges have taken “a small step in the right direction” by introducing multifactor authentication. But that often remains an optional security element, which means that most users do not activate this essential protection. Furthermore, it is typically performed only at login. In a traditional ‘man-in-the-middle’ attack, where a consumer is lured to a hacker’s look-alike website and the attack takes place in real time, a login-only check offers no protection: both the consumer and the hacker want to log in, and a check that happens only at login cannot tell them apart. The difference only shows during the transaction, when the hacker might be transferring large amounts out of your account.

“There should also be some level of consumer consent, some level of authentication that says, ‘yes, this is me, this is the right address that I am sending [cryptos or money] to and, yes, I agree to it,’ ” Samy said. “All of this is necessary to be in place to let the cryptocurrency ecosystem thrive.”

For cryptocurrency exchanges, “the stakes are even higher than in the traditional banking world,” he added, because each crypto owner has a private key he uses to identify himself, and which allows him to transact in the ecosystem. If that key is compromised due to the way it is stored — perhaps in a central database — not only can money be drained from the account, but the bad guys can also make off with all the bitcoins, in effect hoarding them, because now they hold that key.

“If I have your key, it is like me having your signature and your checkbook,” Samy explained.

If the overarching principle is to make sure the person doing the transacting is, well, the right person, Entersekt has set about making the mobile device into a trusted device via secure channels — several secure channels, in fact.

That method makes sense in a world where “mobile first” is becoming a way of life, and in which proof of who is holding the device can be presented in several ways. The first is confirming that the right device is talking to the right exchange, because security components embedded in the mobile app are talking to their counterparts on the exchange’s side. The bad guys would have to replicate biometrics and steal the phone itself to get anything done, which is easier said than done.
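The two ideas above, authenticating each transaction rather than only the login, and binding that approval to an enrolled device, can be shown together in a small model. This is an added example and not Entersekt’s product or code; it assumes (all constructed) that the user’s phone holds a secret established at enrolment, that the exchange issues a one-time challenge for every withdrawal, that the phone computes an HMAC over the challenge and the exact destination and amount it displays to the user, and that the exchange executes only if that HMAC matches the details it is about to act on. The three scenario functions show a legitimate approval, a real-time man-in-the-middle that swapped the destination after login, and a replay of a captured approval.

```python
"""Per-transaction, device-bound approval for an exchange withdrawal.

Added example, not Entersekt's product code. Assumptions (all constructed):
the user's phone holds a secret established at enrolment; for every withdrawal
the exchange issues a one-time challenge; the phone computes an HMAC over the
challenge AND the destination/amount it displays to the user; the exchange
executes only if that HMAC matches the details it holds. A second factor checked
only at login would not give this property.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Withdrawal:
    destination: str  # constructed sample addresses below, not real ones
    amount_sat: int


def canonical(challenge_id: str, nonce: str, tx: Withdrawal) -> bytes:
    """Fixed-order encoding of exactly what is being approved ('|' is not allowed in fields)."""
    return f"{challenge_id}|{nonce}|{tx.destination}|{tx.amount_sat}".encode()


class Exchange:
    def __init__(self) -> None:
        self.device_secrets: dict[str, bytes] = {}
        self.pending: dict[str, tuple[str, str, Withdrawal, float]] = {}

    def enroll_device(self, user_id: str) -> bytes:
        """Enrolment binds one phone to the account (done out of band in reality)."""
        secret = secrets.token_bytes(32)
        self.device_secrets[user_id] = secret
        return secret

    def start_withdrawal(self, user_id: str, tx: Withdrawal, ttl_s: int = 120):
        """Record the exact details that would be executed and issue a one-time challenge."""
        cid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[cid] = (user_id, nonce, tx, time.time() + ttl_s)
        return cid, nonce, tx  # pushed to the enrolled phone, not to the browser session

    def confirm(self, cid: str, mac: bytes) -> bool:
        """Execute only if the MAC binds this challenge to the pending details."""
        entry = self.pending.pop(cid, None)  # single use: a replayed challenge id finds nothing
        if entry is None:
            return False
        user_id, nonce, tx, expires = entry
        if time.time() > expires:
            return False
        expected = hmac.new(self.device_secrets[user_id], canonical(cid, nonce, tx), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


class Phone:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def approve(self, cid: str, nonce: str, shown: Withdrawal, intended: Withdrawal) -> Optional[bytes]:
        """The user compares what the phone displays with what they meant to send."""
        if shown != intended:
            return None  # user declines: the address or amount is not what they typed
        return hmac.new(self.secret, canonical(cid, nonce, shown), hashlib.sha256).digest()


USER_TX = Withdrawal("bc1q-user-intended-address-EXAMPLE", 250_000)
ATTACKER_TX = Withdrawal("bc1q-attacker-address-EXAMPLE", 250_000)


def scenario_legitimate() -> bool:
    """Phone shows the same details the user entered; approval succeeds."""
    ex = Exchange()
    phone = Phone(ex.enroll_device("alice"))
    cid, nonce, shown = ex.start_withdrawal("alice", USER_TX)
    mac = phone.approve(cid, nonce, shown, intended=USER_TX)
    return ex.confirm(cid, mac)


def scenario_mitm_swaps_destination() -> bool:
    """Real-time MITM: the attacker submits its own address after the user has logged in."""
    ex = Exchange()
    phone = Phone(ex.enroll_device("alice"))
    cid, nonce, shown = ex.start_withdrawal("alice", ATTACKER_TX)
    mac = phone.approve(cid, nonce, shown, intended=USER_TX)  # phone displays the attacker's address
    if mac is None:  # user declined; without the device secret a forged MAC is all that is left
        mac = hmac.new(secrets.token_bytes(32), canonical(cid, nonce, ATTACKER_TX), hashlib.sha256).digest()
    return ex.confirm(cid, mac)


def scenario_replay_captured_approval() -> bool:
    """A captured valid approval authorises neither the same challenge again nor a new one."""
    ex = Exchange()
    phone = Phone(ex.enroll_device("alice"))
    cid1, nonce1, shown1 = ex.start_withdrawal("alice", USER_TX)
    mac1 = phone.approve(cid1, nonce1, shown1, intended=USER_TX)
    assert ex.confirm(cid1, mac1)
    cid2, _, _ = ex.start_withdrawal("alice", ATTACKER_TX)
    return ex.confirm(cid1, mac1) or ex.confirm(cid2, mac1)
```

The property that matters is in `canonical()`: the approval covers the destination and amount, not just a session. An attacker who controls the browser session can still start a withdrawal, but the only device that can approve it shows the user the address that would actually be paid, and an approval captured for one withdrawal is useless for another because the challenge id and nonce differ and each challenge is consumed on first use.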

Samy pointed to Entersekt’s success in banking in 45 countries as proof positive that a “trusted device” method works along with the “virtual handshake” that takes place between a unique device and the bank’s — or, in this case, crypto exchange’s — operations. He noted that one banking customer saw its phishing and bot attacks disappear within a month of working with Entersekt, an encouraging blueprint for crypto operators. A further benefit of using an industry-leading solution that is compliant with the most stringent banking regulations is that when the regulations arrive in the cryptocurrency world, your organization will be ready.

Customers want to know that they have chosen an exchange that values their money and takes security seriously. With all the hacks out there, this will become a key feature differentiating the serious exchanges from the also-rans, and customers will increasingly choose exchanges based on this.

Once the trust has been built and there is a secure method for consumers to transact, and crypto exchanges can be sure this is the right consumer and the right device, then “it is not only about the security features, but about the innovation and services that can be offered on top of the security infrastructure,” according to Samy. These assurances can go a long way in the evolution of the cryptocurrency world because “now I can do more.”